===== IBM Spectrum Protect V8.1.2 security updates =====
Secure communications using SSL
https://www-01.ibm.com/support/docview.wss?uid=swg22004844
===== TSM server with SSL =====
Starting with Spectrum Protect v8.1.2, an SSL connection is required for **server to server** communication as well as for the TSM administrative client **dsmadmc**.
Upgrade the server to V8.1.4 or later. Beginning with V8.1.4, servers that use the MD5-signed certificate as the default are automatically updated to use a default certificate with a SHA signature that is labeled "TSM Server SelfSigned SHA Key". A copy of the new default certificate is stored in the cert256.arm file, which is located in the server instance directory.
==== Check the SHA certificate on TSM server ====
On the TSM server, in the instance directory, check in the certificate database **cert.kdb** whether the default certificate is set to **TSM Server SelfSigned SHA Key**; this is a requirement for the SSL/TLS 1.2 used by TSM v8.1.2 and later.
[root@prtsm01 tsmsrv1]# cd /tsm/tsminst1
[root@prtsm01 tsmsinst1]# ls -l
total 2996
-rw-r--r-- 1 tsmsrv1 tsmsrv 1257 29 janv. 2017 cert256.arm
-rw-r--r-- 1 tsmsrv1 tsmsrv 904 29 janv. 2017 cert.arm
-rw------- 1 tsmsrv1 tsmsrv 80 29 janv. 2017 cert.crl
-rw------- 1 tsmsrv1 tsmsrv 150080 29 janv. 2017 cert.kdb
-rw------- 1 tsmsrv1 tsmsrv 80 29 janv. 2017 cert.rdb
-rw------- 1 tsmsrv1 tsmsrv 129 29 janv. 2017 cert.sth
......
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
...
! "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
- "TSM Server SelfSigned SHA Key"
In this example the default certificate used by the TSM server is still "TSM Server SelfSigned Key", so you have to change it:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -setdefault -db cert.kdb -stashed -label "TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed
Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
Fingerprint :
89cb285d829d54bcd1c147eee4cab54e
82216c5e
Now your default certificate is set to **TSM Server SelfSigned SHA Key**.
To read the details of a specific certificate registered in the database, use its label:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -list -db cert.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
...
! "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
- "TSM Server SelfSigned SHA Key"
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -db cert.kdb -stashed -label "TSM Server SelfSigned Key"
Label : "TSM Server SelfSigned Key"
Key Size : 1024
Version : X509 V3
Serial : 4aa858303f98bfef
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2015 9:44:26 AM GMT+02:00
Not After : April 29, 2025 9:44:26 AM GMT+02:00
Public Key
30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01
...
==== Validate the certificate file to deploy on clients ====
Check that the file **cert256.arm** corresponds to the certificate registered in the database **cert.kdb** (same serial number and validity dates):
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -details -file cert256.arm
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 2f367fe63a10f04a
Issuer : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Subject : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Not Before : January 28, 2017 3:02:01 PM GMT+01:00
Not After : January 27, 2027 3:02:01 PM GMT+01:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
.....
If the file is not the right one (different date or serial), move cert256.arm aside (rename it),
then stop your TSM server and start it again; the file will be regenerated by the TSM server from the information stored in cert.kdb.
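The two checks above (the database default must be the SHA key, and cert256.arm must carry the same serial and expiry as that default, with a 2048-bit key) can be scripted. This is an added example, not from the page or from IBM: it parses the text output of gsk8capicmd_64, and the sample outputs embedded below are constructed from the values shown on this page so that it runs offline.

```shell
#!/bin/sh
# Added example: parse gsk8capicmd_64 output to verify the default certificate
# label and that cert256.arm matches it. Samples are constructed, not captured.

# Constructed sample of: gsk8capicmd_64 -cert -list -db cert.kdb -stashed
LIST_OUT='Certificates found
* default, - personal, ! trusted, # secret key
! "Thawte Personal Premium CA"
*- "TSM Server SelfSigned Key"
- "TSM Server SelfSigned SHA Key"'

# Constructed sample of: gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed
DB_DEFAULT='Label : TSM Server SelfSigned SHA Key
Key Size : 2048
Serial : 2f367fe63a10f04a
Not After : January 27, 2027 3:02:01 PM GMT+01:00'

# Constructed sample of: gsk8capicmd_64 -cert -details -file cert256.arm (correct file)
ARM_OK='Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Serial : 2f367fe63a10f04a
Not After : January 27, 2027 3:02:01 PM GMT+01:00'

# Constructed sample of a stale cert256.arm exported from the old 1024-bit key
ARM_STALE='Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 1024
Serial : 4aa858303f98bfef
Not After : April 29, 2025 9:44:26 AM GMT+02:00'

# Print the label flagged '*' (default) in a -cert -list output.
default_label() {
    printf '%s\n' "$1" | sed -n 's/^\*[-!# ]*[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p'
}

# Print one field ("Serial", "Key Size", "Not After") of a -cert -details output.
detail_field() {
    printf '%s\n' "$1" | sed -n "s/^$2[[:space:]]*:[[:space:]]*//p" | head -n 1
}

# Return 0 when the .arm details ($2) match the database default ($1): same serial,
# same expiry, and a key of at least 2048 bits (the old MD5 default is 1024-bit).
arm_matches_default() {
    if [ -z "$(detail_field "$1" Serial)" ]; then return 1; fi
    if [ "$(detail_field "$1" Serial)" != "$(detail_field "$2" Serial)" ]; then return 1; fi
    if [ "$(detail_field "$1" 'Not After')" != "$(detail_field "$2" 'Not After')" ]; then return 1; fi
    bits=$(detail_field "$2" 'Key Size')
    [ "${bits:-0}" -ge 2048 ]
}

# Demo on the constructed samples: the list still has the old key as default.
if [ "$(default_label "$LIST_OUT")" != "TSM Server SelfSigned SHA Key" ]; then
    echo "default is '$(default_label "$LIST_OUT")': run gsk8capicmd_64 -cert -setdefault"
fi
arm_matches_default "$DB_DEFAULT" "$ARM_OK" && echo "cert256.arm matches the default certificate"
arm_matches_default "$DB_DEFAULT" "$ARM_STALE" || echo "stale cert256.arm: rename it and restart the server"
```

On a real server, feed the functions with `"$(gsk8capicmd_64 -cert -list -db cert.kdb -stashed)"`, `"$(gsk8capicmd_64 -cert -getdefault -db cert.kdb -stashed)"` and `"$(gsk8capicmd_64 -cert -details -file cert256.arm)"` instead of the samples.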
==== Update communication server to server by using SSL certificate ====
For server-to-server communication, you have to import **cert256.arm** from server TSM1 into the database of TSM2 and vice versa:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -add -db cert.kdb -stashed -label "TSM2 server certificate" -file /tmp/cert256_tsm2.arm -format ascii
On both TSM servers you have to set the SSL ports for secure communication:
Protect: TSM01>q opt ssl*
Server Option Option Setting
------------------------- -----------------------------------
SSLDisableLegacyTLS Yes
SSLHideLegacyTLS Yes
SSLInitTimeout 2
SSLTCPPort
SSLTCPADMINPort
SSLTLS12 Yes
SSLFIPSMODE No
If **SSLTCPADMINPort** is specified, it will be used for management and server-to-server communication; otherwise **SSLTCPPort** is used (defining an admin port prevents clients from using the TCPPort for both management and backup sessions).
Also update the server definitions on each TSM server:
Protect: TSM01>q server TSM02 f=d
Server Name: TSM02
Comm. Method: TCPIP
Transfer Method: TCPIP
High-level Address: 10.10.10.12
Low-level Address: 1500
...
Invalid Sign-on Count for Virtual Volume Node: 0
Validate Protocol: No
Version: 8
Release: 1
Level: 0.0
Role(s): Replication
SSL: No
If SSLTCPADMINPORT is set to 3750 on TSM02, then update the definition using:
Protect: TSM01>update server TSM02 ssl=yes lladdress=3750 forcesync=yes
Then you can test communication on both TSM servers:
Protect: TSM01>TSM02: q se
ANR1699I Resolved TSM02 to 1 server(s) - issuing command Q SE against server(s).
ANR1687I Output for command 'Q SE' issued against server TSM02 follows:
Sess N Comm. Sess S Wait T Bytes S Bytes R Sess Ty Platform Client Name
umber Method tate ime ent ecvd pe
------ ------ ------ ------ ------- ------- ------- -------- ------------------
82 424 Tcp/Ip Run 0 S 4.6 M 143 Admin WinNT TSMM
99 677 Tcp/Ip Run 0 S 162 243 Admin Linux/x8 TOTO
6_64
ANR1688I Output for command 'Q SE' issued against server PRTSM02 completed.
ANR1694I Server TSM02 processed command 'Q SE' and completed successfully.
ANR1697I Command 'Q SE' processed by 1 server(s): 1 successful, 0 with warnings, and 0 with errors.
==== Delete unused certificates ====
Do not delete required certificates, only certificates that were added afterwards; use:
[root@prtsm01 tsmsinst1]# gsk8capicmd_64 -cert -delete -db cert.kdb -stashed -label "FCM server certificate"
==== Using admin command line with SSL ====
Starting with TSM v8.1.2 you must use a secure connection to the server for administration.
Commands are the same on Windows and UNIX; only the paths change.
First copy the file **cert256.arm** from the TSM01 server (located in the instance home path) to the client (Windows or UNIX).
Using the command line, add the TSM01 server certificate to the client; start CMD with **run as administrator**:
Check the validity of the file:
C:\Program Files\ibm\gsk8\lib64> "C:\Program Files\ibm\gsk8\bin\gsk8capicmd_64.exe" -cert -details -file "C:\keys\TSM01\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00
Not After : April 29, 2028 9:44:27 AM GMT+02:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED
...
Register the key manually in the TSM client:
C:\Windows\system32> cd c:\Program Files\Tivoli\TSM\baclient
c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server TSM01 -file C:\keys\TSM01\cert256.arm
IBM Spectrum Protect
dsmcert utility
dsmcert Version 8, Release 1, Level 2.0
dsmcert date/time: 09/27/2017 17:51:31
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.
Result : Success
c:\Program Files\Tivoli\TSM\baclient> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64
C:\>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "c:\Program Files\Tivoli\TSM\baclient\dsmcert.kdb" -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
! "Entrust.net Client Certification Authority"
! "Entrust.net Global Client Certification Authority"
! "Entrust.net Global Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048) 29"
! "Entrust Root Certification Authority - EC1"
! "Entrust Root Certification Authority - EV"
! "Entrust Root Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority"
! "VeriSign Class 2 Public Primary Certification Authority"
! "VeriSign Class 3 Public Primary Certification Authority"
! "VeriSign Class 1 Public Primary Certification Authority - G2"
! "VeriSign Class 2 Public Primary Certification Authority - G2"
! "VeriSign Class 3 Public Primary Certification Authority - G2"
! "VeriSign Class 4 Public Primary Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority - G3"
! "VeriSign Class 2 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G5"
! "VeriSign Class 4 Public Primary Certification Authority - G3"
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSM01
If the certificate database file **dsmcert.kdb** doesn't exist, create it using:
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -keydb -create -populate -db dsmcert.kdb -pw password -stash
Now update the file dsm.opt (or dsm.sys on UNIX) to set the TCPADMINPORT (or, if no admin port is used, the TCPPORT) and enable SSL:
c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm01.opt
SErvername tsm01ssl
TCPSErveraddress tsm01
COMMmethod TCPIP
TCPADMINPORT 3750
ssl yes
c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm01.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.
Enter your user id: admin
===== TSMManager and SSL =====
To use SSL with TSMManager, the TSM v8.1.2 client must be used.
First copy the key to the TSMManager server (example here for TSM22):
copy tsm22:/tsminst1/cert256.arm to the TSMManager server as C:\keys\cert256_tsm22.arm
On the TSMManager server put this key in the right directory with the filename **cert256.arm**:
C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\
Go to TSMManager Viewer
Configuration
TSM/ISP servers
You have to adapt the TSM server port to the admin SSL port (e.g. 3350 for TSM22),
select Use SSL communication, and validate.
Then under the button **SSL certificate handling**,
select the server TSM22 and show the certificate details; if nothing is shown, use Add a certificate for server.
Otherwise you can delete it.
You can also set the certificate using the command line; start CMD with **run as administrator**:
C:\Windows\system32> cd C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! "Entrust.net Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048)"
! "Entrust.net Client Certification Authority"
! "Entrust.net Global Client Certification Authority"
! "Entrust.net Global Secure Server Certification Authority"
! "Entrust.net Certification Authority (2048) 29"
! "Entrust Root Certification Authority - EC1"
! "Entrust Root Certification Authority - EV"
! "Entrust Root Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority"
! "VeriSign Class 2 Public Primary Certification Authority"
! "VeriSign Class 3 Public Primary Certification Authority"
! "VeriSign Class 1 Public Primary Certification Authority - G2"
! "VeriSign Class 2 Public Primary Certification Authority - G2"
! "VeriSign Class 3 Public Primary Certification Authority - G2"
! "VeriSign Class 4 Public Primary Certification Authority - G2"
! "VeriSign Class 1 Public Primary Certification Authority - G3"
! "VeriSign Class 2 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G3"
! "VeriSign Class 3 Public Primary Certification Authority - G5"
! "VeriSign Class 4 Public Primary Certification Authority - G3"
! "Thawte Primary Root CA"
! "Thawte Primary Root CA - G2 ECC"
! "Thawte Server CA"
! "Thawte Premium Server CA"
! "Thawte Personal Basic CA"
! "Thawte Personal Freemail CA"
! "Thawte Personal Premium CA"
! TSMM_1_TSM11
! 10.10.15.25:1550
! TSMM_1_TSM22
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -delete -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed -label "TSMM_1_TSM22"
Check the validity of the file:
C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\lib64>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -details -file "C:\Program Files (x86)\JamoDat\TSMMgr_serv\TSM22\cert256.arm"
Label : CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US
Key Size : 2048
Version : X509 V3
Serial : 1327061fd3612122
Issuer : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Subject : "CN=TSM Self-Signed Certificate,OU=TSM Network,O=TSM,C=US"
Not Before : May 1, 2018 9:44:27 AM GMT+02:00
Not After : April 29, 2028 9:44:27 AM GMT+02:00
Public Key
30 82 01 22 30 0D 06 09 2A 86 48 86 F7 0D 01 01
01 05 00 03 82 01 0F 00 30 82 01 0A 02 82 01 01
00 9A 61 EC 0C A3 27 1F C7 0B 02 E9 CD A0 FB ED
...
After initiating a connection using the **dsmadmc** command, register the key manually in the TSM client:
c:\Program Files\Tivoli\TSM\baclient>dsmcert -add -server 10.10.10.123 -file C:\keys\cert256_tsm22.arm
IBM Spectrum Protect
dsmcert utility
dsmcert Version 8, Release 1, Level 2.0
dsmcert date/time: 09/27/2017 17:51:31
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.
Result : Success
c:\Program Files\Tivoli\TSM\baclient>"C:\Program Files\Common Files\Tivoli\TSM\api64\gsk8\bin\gsk8capicmd_64.exe" -cert -list -db "C:\Program Files (x86)\JamoDat\TSMMgr_serv\appfilesssl\dsmcert.kdb" -stashed
c:\Program Files\Tivoli\TSM\baclient>more dsm_tsm22.opt
SErvername tsm22ssl
TCPSErveraddress tsm22
COMMmethod TCPIP
TCPADMINPORT 3350
ssl yes
c:\Program Files\Tivoli\TSM\baclient>dsmadmc -optfile=dsm_tsm22.opt
IBM Spectrum Protect
Command Line Administrative Interface - Version 8, Release 1, Level 2.0
(c) Copyright by IBM Corporation and other(s) 1990, 2017. All Rights Reserved.
Enter your user id: admin
Now TSMManager is green !!! Strange